IISParser is a PowerShell module to read IIS logs. It's very fast and easy to use. This module is based on IISLogParser library that does all the heavy lifting. You can read quick introduction to IISParser on Reading IIS Logs with PowerShell blog post.
Install-Module -Name IISParser -AllowClobber -Force
Force and AllowClobber aren't necessary, but they do skip errors in case some appear.
Update-Module -Name IISParser
That's it. Whenever there's a new version, you run the command, and you can enjoy it. Remember that you may need to close, reopen PowerShell session if you have already used module before updating it.
The essential thing is if something works for you on production, keep using it till you test the new version on a test computer. I do changes that may not be big, but big enough that auto-update may break your code. For example, a small rename to a parameter, and your code stops working! Be responsible!
Using IISParser module is very simple. Just import the module, and read the file as required.
Import-Module IISParser
Get-IISParsedLog -FilePath "C:\Support\GitHub\IISParser\Ignore\u_ex220507.log" | Select-Object -First 5 | Format-Table
Get-IISParsedLog -FilePath "C:\Support\GitHub\IISParser\Ignore\u_ex220507.log" | Select-Object -Last 5 | Format-Table
Get-IISParsedLog -FilePath "C:\Support\GitHub\IISParser\Ignore\u_ex220507.log" -First 5 -Last 5 -Skip 1 | Format-Table
Output of the above command will look like this:
DateTimeEvent sSitename sComputername sIp csMethod csUriStem csUriQuery sPort csUsername cIp
------------- --------- ------------- --- -------- --------- ---------- ----- ---------- ---
07.05.2022 00:00:20 127.0.0.1 GET /api/v1.0/users/[email protected]/Messages $top=1&request_id=26cca5c9-37b6-4d0b-8ae1-31e5cb7ccc72 444 127.0.0.1
07.05.2022 00:00:22 172.16.1.223 RPC_IN_DATA /rpc/rpcproxy.dll Exch1.EVOTEC.XYZ:6001&RequestId=9e1ca7e6-278e-4b98-a9c0-be947b39a582 81 172.16.1.223
07.05.2022 00:00:22 172.16.1.223 RPC_OUT_DATA /rpc/rpcproxy.dll Exch1.EVOTEC.XYZ:6001&RequestId=3acb4929-df94-48c0-bbad-f5f2a39f0ac3 81 172.16.1.223
07.05.2022 00:00:26 172.16.1.223 POST /mapi/emsmdb/ [email protected] 444 Anonymous 172.16.1.223
07.05.2022 00:00:27 172.16.1.223 POST /autodiscover/autodiscover.xml &reqId=e4639aef-215b-420f-8100-1e2f8eca8bcb 444 EVOTEC\masul 172.16.1.223
Of course there are a bit more properties available:
Get-IISParsedLog -FilePath "C:\Support\GitHub\IISParser\Ignore\u_ex220507.log" -First 1 -Skip 1 | Format-List
Output of the above command will look like this:
DateTimeEvent : 07.05.2022 00:00:22
sSitename :
sComputername :
sIp : 172.16.1.223
csMethod : RPC_IN_DATA
csUriStem : /rpc/rpcproxy.dll
csUriQuery : Exch1.EVOTEC.XYZ:6001&RequestId=9e1ca7e6-278e-4b98-a9c0-be947b39a582
sPort : 81
csUsername :
cIp : 172.16.1.223
csVersion :
csUserAgent : MSRPC
csCookie :
csReferer :
csHost :
scStatus : 401
scSubstatus : 1
scWin32Status : 2148074254
scBytes :
csBytes :
timeTaken : 64